Are you SOC2 or ISO27001 compliant - theliberators/columinity.docs GitHub Wiki

We take security and data protection very seriously at Columinity:

  • We fully comply with the European General Data Protection Regulation (GDPR), the world's strongest privacy and data protection law. This law restricts our ability to collect personal data and requires strong protections. Moreover, it requires full transparency about what kind of personal data we collect and how we process it, which we document in our data protection agreements (DPA).
  • We are compliant with IASME Institute Cyber Essentials. Our company has been audited by one of their auditors. The certificate is available here.
  • Each year, an external security firm attempts to breach our systems. No serious issues have been found, and we are happy to share their findings in a personal Zoom call.
  • We have an expansive internal security policy to ensure that we are aware of attack surfaces and limit them as much as possible.
  • We have designed Columinity from the ground up to collect as little personal data as possible. Our principle is: "The less we know about you, the better". At the time of writing, this concerns only optional email addresses.

We'd love to add SOC2 and ISO27001 to the checklist of the many things we already do to secure our platform. Unfortunately, such audits cost between 20,000 and 50,000 euros and must be renewed annually. Since we're a very small operation, this would drain most of our annual revenue. Another consideration is that SOC2 and ISO27001 are audits of procedures and policies, which make sense if you have many internal and external employees working on a platform. However, our team consists of three people, and only one of them can access Columinity's data, infrastructure, and codebase. Finally, SOC2 and ISO27001 are very understandable requirements for software that collects sensitive personal data or your company's IP, which is, unfortunately, still the norm. This makes such platforms juicy targets for hackers. Columinity breaks this norm by collecting as little data as possible.

We can better secure our platform and protect our data by investing in active protection measures (like pen tests) rather than passive audits. We are happy to tell you all about how we secure our platform in a personal Zoom call.